WHO AM I AND WHY AM I HERE?


Hold Security Threat Intelligence Program

* 2,500,000,000 stolen credentials recovered
* 2,000,000 site breaches identified
* 50,000,000 stolen financial records retrieved
* Thousands of breaches prevented
* Adobe Systems breach 2013
* Target Brands breach 2013
* JP Morgan Chase breach 2014
* Insights into 60% of major security breaches since 2009


ABOUT ME


10 years CISO in a major brokerage firm
Security researcher and bug hunter
Pen tester and auditor


Hacker Hunter


WHO IS THE MODERN HACKER?


MODERN HACKER


HACKERS' VIEW OF US


• War of stereotypes

"I'm fighting a holy war against the West... They drive their Rolls Royces and go home to their million-dollar houses, while people here are struggling. I will never harm my fellow Slavs; but America, Europe, and Australia deserve it."

- aqua (jabberzeus)
FROM BLACKMAIL TO BLACKMAIL


BOTNETS - NEW LEVEL OF SOPHISTICATION

bot in NAT

bot out of NAT (real IP)

Annotation on the diagram (translated from Russian): "On the 10x hosts, intermediate servers are created for dumping to the main server; the list changes every 10-20 minutes. 101 and 100 periodically dump to the main server or to each other, while the 20x hosts dump everything only to 10x, and also periodically to different 10x hosts to confuse the chain. The IP list is updated in random order."


SO YOU DECIDED TO BUILD A BOTNET


Step 1: Rent an exploit kit
Step 2: Rent or build a botnet C&C
Step 3: Crypt (obfuscate) the payload
Step 4: Rent a virus distribution network
Step 5: Configure and start collecting data


EXPLOIT KITS 101


* Popular targets
  • Windows
  • MS Office
  • Flash
  • Java
* Not always 0day
* Easy to rent by the day or week


What about Anti Virus?


Botnet control panel screenshot (menu: Stats, Bots, Scripts, Reports, DGA, Updater, Config, Logout; current version 1.4.1; GMT May 19 2016 15:36:29). (This screenshot has been altered for viewing purposes.)

Bots                    1626
Online                   247 (15.2%)
Online per week          478 (29.4%)
Online per 24 hours      361 (22.2%)
Dead bots               1063 (65.4%)
Installs per week         32
Installs per 24 hours      4

Antivirus      All             Online
Unknown        1074 (66.1%)    204
TrendMicro      229 (14.1%)     23
MSE             112 (6.9%)      10
McAfee           87 (5.4%)       3
AVG              36 (2.2%)       1
KIS              32 (2.0%)       4
Nod32            29 (1.8%)       2
Avira            19 (1.2%)       0
Avast             8 (0.5%)       0

Windows           x32            x64             Total
XP                103 (6.3%)       0 (0.0%)      103 (6.3%)
Vista               4 (0.2%)       0 (0.0%)        4 (0.2%)
Server 2008        12 (0.7%)      67 (4.1%)       79 (4.9%)
Seven             263 (16.2%)    693 (42.6%)     956 (58.8%)
Server 2008 R2      0 (0.0%)     232 (14.3%)     232 (14.3%)
Eight               0 (0.0%)       3 (0.2%)        3 (0.2%)
Server 2012         0 (0.0%)      27 (1.7%)       27 (1.7%)
Eight+              1 (0.1%)      73 (4.5%)       74 (4.6%)
Server 2012 R2      0 (0.0%)      82 (5.0%)       82 (5.0%)
Ten                 9 (0.6%)      57 (3.5%)       66 (4.1%)
Total             392 (24.1%)   1234 (75.9%)    1626

OBFUSCATION (CRYPTING)


BotShop panel screenshot (menu: News, Settings, Balance, Tasks, FAQ, Price list; Balance: 3.95$). Task list:

#   URL                                                   Country      Achieved   Limit   Status
1   http://ch34427.tmweb.ru/dfu7ZrvYQw.exe                Brazil       4          1250    Removed
2   http://ch34427.tmweb.ru/BaoywGGnxh.exe                Europe       116        1000    Removed
3   http://ch34427.tmweb.ru/IU8qROgvKU.exe                China        0          1000    Removed
4   http://ch34427.tmweb.ru/WVMQMYItxQ.exe                China        0          1000    Removed
5   http://ch34427.tmweb.ru/WVMQMYltxQ.exe                Brazil       0          1000    Removed
6   http://ch34427.tmweb.ru/mN1kykndvi.exe                China        0          1000    Removed
7   http://ch34427.tmweb.ru/mN1kykndvi.exe                Brazil       1          1000    Removed
8   http://ch34427.tmweb.ru/mN1kykndvi.exe                Brazil       3          1000    Removed
9   http://ch34427.tmweb.ru/mN1kykndvi.exe                Turkey       10         1000    Removed
10  http://ch34427.tmweb.ru/dtoAq9glK8.exe                Brazil       0          1000    Removed
11  http://ch34427.tmweb.ru/mN1kykndvi.exe                Uzbekistan   27         1000    Removed
12  http://nynewsguardianinternet.com/oreon/msdoc.exe     Ukraine      2          1650    Removed
13  http://nynewsguardianinternet.com/oreon/55z/doc.exe   Ukraine      4          1000    Removed
14  http://nynewsguardianinternet.com/oreon/55z/doc.exe   Ukraine      1          1000    Removed

WHAT I NEED TO KNOW ABOUT BUILDING C&C?


[the rest of this slide is intentionally left blank]


Toolkits (forum category listing, screenshot)

Botnets; Bots; Crackers; Crypters; Denial of Service; Forensic Tools; Icons; IP & Port Scanners; Keyloggers; Misc; Misc. Ebooks; Misc. Web Tools; Network Tools; Proxy Grabbers; Rats; Resolvers; Shells; SMS & Email Bombers; Source Codes & Scripts; VPNs & Security Tools; Worms, Malware, & Virus Makers


Botnets (listing, screenshot)

pBot; Aldi v2; Andromeda v2.06; Ann Loader; AnnLoader; Brainbot; Cythosia; Dirtlumper V3; Elite Loader 3.0; HerpesNet; Kbot Builder; Pandora; Pony 1.9; SmokeBot Cracked; Strike; umbra; Umbra Loader; Vertex Net; VertexNet v1.2.1; vnLoader; vOlk 4; Warbot; YZF; Zemra


Bots (listing, screenshot)

adf.ly AdfBotPro [3.3.1]; Aspire Multiuser Account Maker; Auto Clicker; GSearchBot 3.2.5-rev3; LambaTube; mpgh.net Spammer; msn freezer; Skype spammer; Snapchat Bomber; Tiger Bot Cracked by loY; Tubenoia; Ultimate Codename Likes [Cracked Gold Edition]; Youtube Blazzer [V1.0]; Youtube View Booster V1.2; Youtube View Booster Ver. 1.2, Cracked - PRO EDITION!; YouView_bot_v1.2; ZeroTeam Email Spammer v2.1.0.0; Anonymous JCC Autoclicker; Auto Clicker; BTI Pastebin Mass Downloader; Chrome Skype Spammer; Cranksy's IceAge; DeLuXe Chat Spam; EliteOP - Youtube Tool; Eternals Auto Typer; Insatiable 2; InstaGet v1.2.7 Free; Instagram Bot; iSub4Sub - Version 1.1; iVeiw_For_you; Jays_youtube_bot_v1.0b; LikeaPros SkypeCrasher; Minecraft IN-Game ChatSpammer V1.0 By KWHful; NET BOT; Normal In-Chat ChatSpammer V1.0 By KWHful; Nuisance Pack; OmegleSpyX v1.8a; OmegleSpyX v3.2; Random Username Generator v1; Republic Hax SpamGen; Sharecash Survey Helper; SkypeCrasher; Snowstone_Cracked; System32DK YouTube W; Type_Click; Universal Chat Spammer; VBSpam; Vulcan Handy Spammer; YouBoosterPRO Cracked By Heat; Youtube_view_increaser


RATs (listing, screenshot)

BatchNIT + OpenSource; BlueBanana; jSpy; Poison Ivy 2.3.2; bRAT + source_code; Cybergate 1.8; KazyBot 1.0 Lite; Quasar 1.1; [SRC] BIODOX; Dark Comet 4.0; Loki Rat; SharK 3.0; [SRC] Zombie Slayer; Dark Comet 5.1; Lost Door 2.2 Public; Spycronic 1.02.1; AndroRAT; Dark Comet 5.3; MiniMo 0.7a Public Lite; Spy Net 0.7 Public; Babylon 1.6.0.0; DarkMoon 4.11; NjRAT; Spy-Net v2.6; Batch NIT; DroidJack 3.0; NovaLite v3.0; Sub-7 0.10; Beast 2.06; DroidJack 4.0; Nuclear RAT 2.1.0; Tiny 0.2; Bifrost 1.2.1d; Gklspy; Optix 1.33; Turkojan 4.0 Gold; Blackshades Public Edition; ip killer; Paradox RAT; xRAT 2.0; Blizzard 1.2; jRat; Poison Ivy 1.0; XtremeRat 3.5

BUILD YOUR OWN DISTRIBUTION NETWORK


• Traffic, traffic, traffic
• Look at the statistics


BOTNET DEMO


Loki PWS

Panel screenshot (menu: Main, HTTP, FTP/SSH, Others, Reports, Settings, Exit; "Operation System Statistics (Reports)" view)


ANDROMEDA

Panel screenshot (menu: Statistic, Bots, Black list, Tasks, Settings, Logs; FormGrabber; KeyLogger)

General statistic
  Total bots: 667
  Online: 30
  Online per hour: 35
  Online per day: 98
  Online per week: 156
  New bots at last day: 3
  Rejected (RU/BY/UA/KZ): 14
  Dead bots: 511

Statistics by system
  Total x86: 49% (327)
    Win8.1: 2.8% (19)
    Win8: 0.9% (6)
    Win7: 29.5% (197)
    Win2008: 0.1% (1)
    WinVista: 1.2% (8)
    Win2003: 0.1% (1)
    WinXP: 14.2% (95)
  Total x64: 51% (340)
    Win8.1: 19.5% (130)
    Win8: 2.5% (17)
    Win7: 28.6% (191)
    WinVista: 0.1% (1)
    Win2003: 0.1% (1)

Statistics by Build ID
  QQQQQ216: 100% (667)

Statistics by Country: Andromeda bot GEO statistics (map tool by ammap.com)


ONYX / Diamond Fox

Panel screenshot (SmartAdmin theme; menu: Dashboard, Bots, Configs, Settings; server time 05:12:38; Total and Online bot counters; "Show Bot" lookup field)

MOBILE BOTNETS


Control panel screenshot (Russian UI, translated): menu Statistics, Settings, Users, Geo-profiles, Updates, Simulation.

Groups
• optimizer #optimizer
• flashplayer #flashplayer
• adult #adult
• adultpopunder #adultpopunder
• adultpop #adultpop
• click #click
• click2 #click2
• ero #ero
• ero2 #ero2
• erotic #erotic
• sense #sense
• xxx #xxx
• theadult #theadult
• ad #ad
• pig #pig

Global statistics (chart / table, "All groups"): series Unique, Alive, Mobile; y-axis 0 to 16,000; dates 11 Oct 2015 to 18 Oct 2015.


Injects and Grabbers


• User experience hijacking
• Specific data accumulation


RATs


DroidJack (Android RAT) console screenshot: "Generate APK" button; device list with columns Country, Phone Number, Model, Manufacturer, OS ver., IP Address, Running app, Idle time, Port, Status (two registered devices shown); per-device tools: File Voyager, SMS Trekker, Call Manager, WhatsApp Reader, Contacts Browser, Browser History, App Manager, GPS Pinpointer, Remote Ears, Remote Eyes, Browser, Message Toaster, Volume Control, Detailed info, Settings; Reset DJ Server.


DEFENSE - HONEYPOTS


Honeypots are not only systems

• Components
• Credentials
• Features
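As an added defender-side example (not code from the talk or from Hold Security), the "Credentials" item above can be made concrete with a honey-credential monitor: decoy accounts are seeded where a thief would harvest them, and any authentication attempt against them, successful or failed, is an alert, because no legitimate user knows those accounts exist. The account names, the log line format and the addresses below are constructed for the example; the `auth:` log format is an assumption, not any real product's output.

```python
# Added example: honey-credential monitor. Not from the talk; log format, account
# names and addresses are constructed for illustration.
import re
from collections import defaultdict
from dataclasses import dataclass

# Decoy accounts seeded where a thief would find them (a stale password export,
# a config file, a dump left on a honeypot host). Real staff never use them, so
# any attempt against them is a signal. (Constructed names.)
HONEY_ACCOUNTS = {
    "svc_backup_old": "seeded in legacy-scripts share",
    "j.doe.admin": "seeded in decoy password export",
}

# Assumed authentication log line shape, e.g.
# 2016-05-19T15:36:29Z vpn-gw auth: FAILED user=j.doe.admin src=203.0.113.7
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+auth:\s+(?P<result>FAILED|ACCEPTED)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    result: str      # FAILED or ACCEPTED: both matter for a decoy account
    seeded_in: str   # where the decoy was planted, which tells you what was stolen


def scan_auth_log(lines):
    """Return one Alert per attempt (failed or successful) against a honey account."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line: skip, never crash the monitor
        user = m.group("user")
        if user in HONEY_ACCOUNTS:
            alerts.append(Alert(m.group("ts"), m.group("host"), user,
                                m.group("src"), m.group("result"),
                                HONEY_ACCOUNTS[user]))
    return alerts


def sources_touching_many_honey_accounts(alerts, threshold=2):
    """Sources that tried at least `threshold` distinct honey accounts: the pattern
    of someone replaying a stolen credential dump rather than a single typo."""
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a.src].add(a.user)
    return sorted(src for src, users in by_src.items() if len(users) >= threshold)


# Constructed sample log: two real users, one source hitting both decoys,
# a second source hitting one decoy, and a malformed line.
SAMPLE_LOG = [
    "2016-05-19T15:36:29Z vpn-gw auth: FAILED user=alice src=198.51.100.20",
    "2016-05-19T15:36:41Z vpn-gw auth: FAILED user=j.doe.admin src=203.0.113.7",
    "2016-05-19T15:36:43Z vpn-gw auth: ACCEPTED user=svc_backup_old src=203.0.113.7",
    "2016-05-19T15:37:02Z fileserver auth: ACCEPTED user=bob src=198.51.100.21",
    "2016-05-19T15:37:10Z vpn-gw auth: FAILED user=svc_backup_old src=192.0.2.44",
    "this line is not an auth record and must be ignored",
]

if __name__ == "__main__":
    found = scan_auth_log(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.ts} {a.host}: {a.result} login as decoy {a.user!r} "
              f"from {a.src} ({a.seeded_in})")
    print("sources replaying a dump:", sources_touching_many_honey_accounts(found))
```

The design point is that a honey credential has no false-positive path: a single failed attempt is already worth a ticket, and the `seeded_in` label tells you which store was exfiltrated. The second function adds the one enrichment worth having, grouping by source so a replay of a whole stolen dump stands out from an isolated hit.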


CONCLUSIONS


• Botnets are BAD
• Clever and complicated
• Botnets collect everything
• They can be stopped


